CVE-2024-43398: XML Entity Expansion in REXML

CWE-776 XML Entity Expansion | 15 documents | 10 sources
Severity
5.9 MEDIUM (NVD)
5.3 (OSV)
EPSS
1.1%
top 21.60%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 22, 2024
Latest update: Nov 3, 2025

Description

REXML is an XML toolkit for Ruby. Versions of the REXML gem before 3.3.6 have a denial-of-service vulnerability when parsing an XML document that contains many deeply nested elements carrying attributes with the same local name. If you parse untrusted XML with the tree parser API (for example, REXML::Document.new), you may be affected. The stream parser API and the SAX2 parser API are not affected. REXML 3.3.6 and later include the fix.
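The advisory draws a line between the tree parser (affected before 3.3.6) and the stream/SAX2 parsers (not affected). The following is an added example, not code from the advisory or from the REXML project, showing a version check against the fixed release and the same element count computed through both parsing paths. The helper names (rexml_patched?, build_nested_xml, ElementCounter, count_elements_tree, count_elements_stream) are illustrative, and the generated document is a constructed approximation of the input shape the advisory describes (nested elements, each with several attributes sharing a local name under different namespace prefixes), kept small and not presented as a verified DoS trigger.

```ruby
# Added example (not part of the advisory or the REXML project). Illustrates
# the two parsing paths the advisory distinguishes and a gem-version check
# against the fixed release. Helper names are illustrative.
require "rexml/document"
require "rexml/xpath"
require "rexml/parsers/streamparser"
require "rexml/streamlistener"

FIXED_VERSION = Gem::Version.new("3.3.6")

# True when the given rexml version (default: the loaded gem) carries the fix
# described in the advisory. Compare the gem version, not the Ruby version:
# rexml ships with Ruby as a separate gem and can be upgraded independently.
def rexml_patched?(version = REXML::VERSION)
  Gem::Version.new(version) >= FIXED_VERSION
end

# Constructed input in the shape the advisory describes: nested elements, each
# with several attributes that share a local name ("id") but differ in
# namespace prefix. Sizes are chosen by the caller; this is an assumed
# approximation of the described input, not a reproduction of the DoS.
def build_nested_xml(depth:, attrs_per_element:)
  ns_decls = (1..attrs_per_element).map { |i| %(xmlns:n#{i}="urn:example:#{i}") }.join(" ")
  same_local = (1..attrs_per_element).map { |i| %(n#{i}:id="#{i}") }.join(" ")
  open_tags = (1..depth).map { |d| "<e#{d} #{ns_decls} #{same_local}>" }.join
  close_tags = depth.downto(1).map { |d| "</e#{d}>" }.join
  %(<?xml version="1.0"?>#{open_tags}#{close_tags})
end

# Tree API: builds the whole document in memory. This is the path the advisory
# marks as affected before 3.3.6, so it should only see untrusted input on a
# patched gem.
def count_elements_tree(xml)
  doc = REXML::Document.new(xml)
  REXML::XPath.match(doc, "//*").size
end

# Stream listener that counts start tags without building a tree.
class ElementCounter
  include REXML::StreamListener
  attr_reader :count

  def initialize
    @count = 0
  end

  def tag_start(_name, _attrs)
    @count += 1
  end
end

# Stream API: the path the advisory marks as not affected. Same result as the
# tree walk, but no document object is ever materialised.
def count_elements_stream(xml)
  listener = ElementCounter.new
  REXML::Parsers::StreamParser.new(xml, listener).parse
  listener.count
end

if __FILE__ == $0
  xml = build_nested_xml(depth: 5, attrs_per_element: 3)
  puts "rexml #{REXML::VERSION} patched? #{rexml_patched?}"
  puts "tree count:   #{count_elements_tree(xml)}"
  puts "stream count: #{count_elements_stream(xml)}"
end
```

In practice the check to add to a service that accepts XML from clients is the version gate: if rexml_patched? is false, route untrusted documents through the stream or SAX2 API (or refuse them) until the gem is upgraded. Distributions that ship rexml with the interpreter (see the Ubuntu advisories below) may deliver the fix as a Ruby package update rather than a gem update, so check the version REXML actually reports at runtime.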

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 2.2 | Impact: 3.6

Affected Packages (2 packages)

CVEList V5: ruby/rexml < 3.3.6
NVD: ruby-lang/rexml < 3.3.6

🔴Vulnerability Details (5)

- OSV: ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities (2025-04-07)
- OSV: REXML denial of service vulnerability (2024-08-22)
- CVEList: REXML denial of service vulnerability (2024-08-22)
- OSV: CVE-2024-43398: REXML is an XML toolkit for Ruby (2024-08-22)
- GHSA: REXML denial of service vulnerability (2024-08-22)

📋Vendor Advisories (8; 5 listed)

- Apple: CVE-2024-43398: macOS Tahoe 26.1 (2025-11-03)
- Apple: CVE-2024-43398: macOS Sonoma 14.8.2 (2025-11-03)
- Apple: CVE-2024-43398: macOS Sequoia 15.7.2 (2025-11-03)
- Ubuntu: Ruby vulnerabilities (2025-04-07)
- Ubuntu: Ruby vulnerabilities (2025-02-06)

💬Community (1)

- HackerOne: CVE-2024-43398: DoS vulnerability in REXML (2025-04-27)
CVE-2024-43398 — XML Entity Expansion in Ruby Rexml | cvebase